It’s a heavily obfuscated .NET-based malware, but that’s not the most important point of this post.

SpyShelter told me that the setup file wanted to create a scheduled task that uses wscript to run an INI file periodically.

So I found the INI file.

At first sight it looks like an INI file, but did you notice the first two characters? They are the beginning of a comment in programming languages such as C/C++/JavaScript. And since the file will be “run” periodically, a script must be hiding inside it. (Windows Script Host normally picks the engine from the file extension, so a task that runs an .ini file has to name the engine itself, for example with wscript’s //E:JScript switch; that is one more thing to look for in the task definition.)

When I scrolled down through the other parts of this INI file, I found something abnormal. As the image above shows, there are lots of signs of JavaScript.

A better way to find the hidden script is simply to use a text editor to highlight some keywords.

That looks much better than before.

This script downloads a file and runs it with the “/VERYSILENT” argument, a switch widely used by installers (it is the Inno Setup switch for a fully silent install, so the downloaded file is most likely an installer built with it).
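The checks above can be turned into a small triage script. The following is an added example and not code from the post or from the malware: it flags a file that is INI-shaped on the surface but opens with a C-style comment, highlights typical JScript markers per line (the “highlight keywords” step), and strips the comment blocks to show what wscript would actually execute. The sample file, the marker list and the regexes are my own assumptions; the constructed sample only mimics the shape of the file described, it is not the real one.

```python
import re

# Constructed sample (not the real file from the post): an INI-looking file whose
# INI lines are wrapped in C-style block comments so a JScript engine skips them,
# with a small JScript body placed between the comments.
SAMPLE_INI = r"""/*
[Settings]
Version=1.0
Language=en
*/
var sh = new ActiveXObject("WScript.Shell");
/*
[Paths]
InstallDir=C:\Program Files\App
Url=http://example.invalid/update.ini
*/
var tmp = sh.ExpandEnvironmentStrings("%TEMP%") + "\\setup.exe";
// (a real sample downloads a payload here; omitted in this constructed sample)
sh.Run('"' + tmp + '" /VERYSILENT', 0, true);
"""

INI_SECTION = re.compile(r"^\s*\[[^\]]+\]\s*$")
INI_KEYVAL = re.compile(r"^\s*[^=\[;#/\s][^=]*=.*$")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
LINE_COMMENT = re.compile(r"^\s*//.*$", re.MULTILINE)

# Tokens that have no business in a configuration file but are typical of
# WSH JScript droppers. Assumed list; extend as needed.
JS_MARKERS = [
    r"\bvar\b", r"\bfunction\b", r"\bnew\s+ActiveXObject\b", r"\bWScript\b",
    r"\beval\s*\(", r"\bString\.fromCharCode\b", r"\.Run\s*\(", r"/VERYSILENT\b",
]
JS_MARKER_RE = [re.compile(p, re.IGNORECASE) for p in JS_MARKERS]


def starts_with_c_comment(text: str) -> bool:
    """True if the first two non-blank characters open a C/C++/JS comment."""
    return text.lstrip()[:2] in ("/*", "//")


def looks_like_ini(text: str) -> bool:
    """True if the file has at least one [section] header and one key=value line."""
    lines = text.splitlines()
    return any(INI_SECTION.match(l) for l in lines) and any(INI_KEYVAL.match(l) for l in lines)


def highlight_js(text: str):
    """Per line, list the JS markers that hit: (line_no, line, [patterns])."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        found = [p.pattern for p in JS_MARKER_RE if p.search(line)]
        if found:
            hits.append((no, line, found))
    return hits


def strip_comments(text: str) -> str:
    """Remove /* ... */ blocks and lines that start with //; what is left is what
    the JScript engine executes. Only line-leading // is stripped, so a // inside
    a string (e.g. a URL) survives. This is a heuristic, not a JS tokenizer."""
    text = BLOCK_COMMENT.sub("", text)
    text = LINE_COMMENT.sub("", text)
    return "\n".join(l for l in text.splitlines() if l.strip())


def analyze(text: str) -> dict:
    residual = strip_comments(text)
    return {
        "ini_like": looks_like_ini(text),
        "opens_with_comment": starts_with_c_comment(text),
        "js_hits": highlight_js(text),
        "residual_lines": residual.splitlines(),
        # INI-shaped on the surface, but the comment-stripped body is script
        "suspicious": starts_with_c_comment(text) and bool(highlight_js(residual)),
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_INI)
    print("INI-like:", r["ini_like"], "| opens with C comment:", r["opens_with_comment"])
    for no, line, found in r["js_hits"]:
        print(f"{no:3}: {line}    <- {', '.join(found)}")
    print("--- what wscript would actually execute ---")
    print("\n".join(r["residual_lines"]))
    print("suspicious:", r["suspicious"])
```

Run it against a real sample instead of `SAMPLE_INI` to get the same three views: the surface INI check, the keyword highlights with line numbers, and the residual script. A genuine INI file never opens with `/*`, so the combination of that opener with JScript markers in the residual is the signal, not either check alone.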